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MANAGING POLICY RULES IN A NETWORK 

This invention relates to managing policy rules in a 
network. 

BACKGROUND 

Increased use of networks such as local area networks 
(LAN) and wide area networks (WAN) creates network traffic 
from sources such as application software, network 
applications, network operating systems (NOS) and distributed 
database programs that generate various ""housekeeping 1 1 
messages. Policy Based Network Management (PBM) environments 
offer one solution to managing this increasing network 
traffic. PBM environments involve the establishment of 
priorities for network traffic based on parameters such as 
traffic-type, application and user identification. Many 
network transmission technologies such as Asynchronous 
Transfer Mode (ATM) have great success with this type of 
traffic management as a result of increasing Quality of 
Service (QoS) levels. Servers on the PBM network send out the 
policy rules to a number of devices present on the network. 
The devices receive policy rules and translate the rules to a 
format that is meaningful to the device. 

BRIEF DESCRIPTION OF THE DRAWINGS 

Fig. 1 illustrates an exemplary transaction system. 
Fig. 2 illustrates a policy server and devices on a local 
area network. 

Fig. 3 illustrates an implementation of a policy tree. 

Fig. 4 illustrates a flow chart for an exemplary proxy 
agent process . 

Fig. 5 illustrates a flow chart for an exemplary 
translation process. 
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Fig. 6 illustrates a flow chart of an implementation of 
access list filter generation. 



DETAILED DESCRIPTION 

As shown in Fig. 1, a transaction system 100 facilitates 
5 transactions between a corporate local area network (LAN) 105 

and one or more devices attached to the corporate LAN 105. 
One or more clients 110 can be attached to the LAN locally for 
access to corporate databases 112 or other devices (not 
shown) . The LAN 105 can also serve as a gateway to the 
10 Internet or other network 13 0. A remote user 12 0 can access 

the corporate LAN either directly (not shown) or through the 
Internet/network 130. The remote user 120 may have a browser 



STSts 



'S3* 



^1 125 attached to it. The LAN 105 may have one or more servers 

connected to it to handle data and transactions on the LAN 

105. For example, a policy server 115 is a shared computer on 

the corporate LAN 105 that handles data and transactions that 

relate to policies, policy delivery and policy enforcement on 

the LAN 105 and occur between the clients 110 and databases 

112 or other devices. 

Fig. 2 illustrates an expanded view of the transaction 

system 100 in Fig. 1. A policy server 210 and attached 

devices 215, 220, 221 are connected on a corporate LAN 205. 

Several software applications and processes reside on the 

policy server 210. One process that resides on the policy 

25 server 210 is a policy-implementation and enforcement (PIE) 

process 210a. Associated with the PIE process 210a are 

multiple data structures in the form of filters 210b that 

allow access between devices attached to the LAN 205, such as 

the client 215 and devices that can access the LAN 2 05 

30 externally, such as a remote client 240. The filters 210b can 

be programmed either to permit or deny one device from 

accessing another device. For example, the remote client 240 , 

which may be a small office home office (SOHO) may want to 

initiate a virtual private network (VPN) session with the LAN 

35 205. A VPN gateway, which in this case is client 240, to the 
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LAN 2 05 can be programmed, for example, with a policy from the 
server 210 to allow the remote client 24 0 only to arrange 
access of a client device 245 directly into the LAN 2 05, but 
not to allow a connection by the client device 245 to the 
Internet 230. As another example, the client 215 may be a 
computer belonging to a company salesman. The policies on the 
LAN 205 would create a filter 210b that would allow the client 
215 to access a customer database 220, but not to access an 
employee database 221 that contains employees' records. 

Each device on the LAN 2 05, such as the client 215, has a 
proxy agent 215a residing on it. The proxy agent 215a 
receives policy rules from the policy server 210. The policy 
rules contain data structures for an access control list 210d 
and filters 210c to configure the client 215. The client 215 
uses the access control list and filters to determine which 
other devices or databases 220, 221 that it is permitted to 
access. The filters generated from multiple rules can be 
added to one list or be placed on several different lists. 
The proxy agent 215a receives the policies in units called 
"policy groups 1 ! 215c, each of which is targeted to several 
locations on the device. For example, one policy group 215c 
can determine which databases 220, 221 the client 215 can 
access. Another policy group 215c can determine what access 
the client 215 can have to networks outside the corporate LAN 
205 such as Internet 230. The policy groups 215c specifically 
contain the data structures for access lists 210d and filters 
210c. 

In another embodiment, the proxy agent 215a, manages one 
or more devices on the corporate LAN 2 05 that provide networks 
services such as routing, switching and packet shaping. 

A policy group 215c can be implemented as a tree 
structure that includes several layers. 

Fig. 3 illustrates an exemplary policy tree 300. There 
may be several policy groups in the network system 100 (Fig. 
1) . The policy tree 300 typically represents one policy group 
305. The policy tree 300 typically includes several layers 
including, but not limited to, instance, rule, condition type 
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and entry group layers. In other implementations, policy 
trees can have additional or different layers. The instance 
layer defines the policy instances, such as the priorities 
that are provided by the policy server 210. A policy instance 
5 includes an action and a list of policy rules. If any of the 

rules evaluate to TRUE, then the action is applied on the 
network. If none of the rules are TRUE then the action is not 
applied. The rule layer defines the policy rules provided by 
the policy server 210. A policy rule is a list of conditions, 

10 each of which contains a set of values. A condition is TRUE 

if it matches one or more of the values in the set. A policy 
rule is TRUE if all of the conditions are TRUE. Therefore the 
conditions have an ""OR !I relationship and the rules have an 

13 ""AND 1 1 relationship. Policy instances, rules and conditions 

l&|f are discussed in detail below with respect to condition and 

Ul rule simplification. 

^ As illustrated by the policy tree 300, each policy 

f|| instance (such as priority 7) can be expanded into several 

^ policy rules. From the proxy agent's 215a perspective, each 

2j6| policy instance or each policy rule represents a set of 

W conditions that must be translated into an access list. Each 

£j rule is translated into a set of filters, and the filters 

O generated from multiple rules can be added to the same list or 

^ can be placed on separate lists. 

25 As shown in Fig. 3, the policy group 3 05 includes an 

instance defining ""Priority n !I , with a corresponding ""Rule 
n M , ""Condition Type n" associated with ""Rule n ,! and an 
""Entry/Value n M that defines the details of ""Rule n ,T . For 
example, ""Priority 0 ,T may correspond to an instance of the 

30 policy group that allows access to specific company files. 

""Rule 0 ' ' may then correspond to specific persons in the 
company that are permitted that access, in this case the 
regular file transfer protocol (FTP) traffic on the corporate 
LAN 205. ""Condition Type 0 M corresponds to the conditions 

35 that have to be met in order for the FTP to have access to the 

files, in this case simply the software applications available 
on the corporate LAN 205. ""Entry/Value 0 11 corresponds to the 
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specific details of the conditions that allow access, in this 
case the FTP address of the application 320. 

The policy tree also can be more complex. For example, 
"Priority 7 11 may correspond to a more restricted policy 
5 instance in the policy group 305. This instance defines a 

rule 342 that corresponds to the executive staff and may 
define access to more sensitive company files such as employee 
records or proprietary information associated with an initial 
public offering, for example. One condition 350 defines the 
10 source subnet where the information is stored. The 

entry/group 360 gives the specific address IP 10.10.1.* 360. 
Another condition 3 52 is that the staff can access the 
information only during specified days of the week. The 
O entry/group 3 62 defines those days to be Monday through 

l|f Friday. Other rules 344, 346 under ""Policy 7 ,! relate to 

M traffic to and from the information technology (IT) manager 

If 344, 346. The source address 354 and the destination address 

Hi 356 are conditions associated with the rules 344 and 346 

% i respectively. In this example, the source and destination 

2£h address entry/group designations 3 64, 3 66 are identical 

M 10.10.5.7. 

The policy tree 3 00 is illustrative and does not limit 
O the number of policy tree structures that can be used in other 

~" implementations . 

25 Fig. 4 illustrates a flow chart of an implementation of a 

proxy agent process 400 in which policy rules are translated 
into access lists. The proxy agent 215a residing on the 
client device 215 first receives 410 the policy rule. If 
there are any conditions associated with the rule, the 

30 conditions are simplified 420. The rule itself is then 

simplified 430 (as discussed further below) . Once the rules 
and conditions are simplified then access lists are created 
440. The access lists are then used to generate the filters 
450 . 

35 

Condition and Rule Simplification 
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As discussed above, policy rules are received as a policy 
group 305 in the form of a policy tree 300 that determines how 
the rules will be translated into policy data that the client 
device 215 can interpret and implement. When the proxy agent 
5 215a receives policy rules from the policy server 210, the 

policy group 305 typically is in a format that the client 
device 215 cannot interpret. The proxy agent 215a therefore 
translates the policy group 305 into specific data (policy 
values) that the device can interpret. A proxy agent 
10 preprocessor 215b (Fig. 2) handles the translation of the 

policy rules into policy values using the policy tree 300. 

Fig. 5 illustrates a flowchart of a translation process 
^ corresponding to the rule simplification (43 0 in Fig. 4) . The 

translation includes an expansion 510 of the group 305 into 
V§1 the several conditions. This group expansion results in a 

34 large set of policy values that are useable by the client 
;C device 215. 

n There may be several identical policy values in a policy 

s group 3 05. For example, as shown in Fig. 4, the policy values 

364 and 366 corresponding to the condition type's ""source 

Ml 

|i| address M 354 and "destination address* 1 356 respectively, are 

identical. The proxy agent 215a is programmed to handle 
R possibilities of policy value duplication in order to deliver 

the correct policy values to the corresponding destinations on 
25 the client device 215. 

Referring again to Fig. 5, in addition to group expansion 
510, group exclusion 52 0 also is performed. For each policy 
instance in a policy group 305, there exists an action X with 
an associated set of rules that can be represented as: 

30 

r k = {r l9 r 2 ...r n } . 

The action X is performed if any one or more of the rules r k 

is true. An individual condition is true if the condition 

35 equals one of the policy values in the list of entries. 
Therefore, ""OR' 1 logic is applied at the rule level; that is, 



-6- 



Attorney's Docket No. 10559-151001 
Client's Ref. No. P7976 



if r x OR r 2 OR r n is true, perform X. However, ""AND M logic is 

applied at the condition level;. in other words, all conditions 
associated with a rule must be met in order for X to be 

performed. For the set of rules r k discussed above, there may 

5 be the following associated conditions: 



and 



10 



C 3 > C 4 



III 



Therefore, assuming that the rules r } and r 2 are the only rules 
in r k , either r x or r 2 must be true for X to be performed. If 
i§ r } is true, then using the ""AND 1 ' logic, both c Y and c 2 must be 

true for X to be performed. Similarly, if r 2 is true then 

5 c 3 and c 4 must be true. Finally, ""OR 1 ' logic is applied at the 

^ policy entry/value level. 

Ill Referring back to Fig. 3, for example, the policy 

Jg : instance for Priority 0 can be expressed as ""give Priority 0 

X to a packet if its application type is FTP 1 1 . The policy 

instance for Priority 7 can be expressed as ""give Priority 7 
to a packet if it has a source subnet of 10.10.1.* AND is 
sent on Monday through Friday , OR if it is sent from address 
25 10.10.5.7 , OR if it is sent to address 10.10.5.7. 

More specifically, a policy instance can be expressed as 

follows: IF (r x ) OR ( r 2 ) . . . OR ( r k ) THEN perform {x} . 
Similarly, a policy rule can be expressed as follows: IF {c Y = 

{A OR B OR ... N}) AND ( c 2 = {C OR D OR... M}) AND ... ( c k = 

30 {X OR Y OR ... Z}) THEN (Rule = TRUE) . 

Similarly, any condition in a rule may use negative 
logic. The effect of using negative logic is to exclude 
values for the condition. For example, the system could 
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compose a rule that states, "give Priority 0 to a packet if 
its application type is FTP AND its destination address is NOT 
10.10.5.7 11 . In this case, the condition type for the 
destination address would have an "exclude" flag set to 
5 indicate that negative logic is to be used for that condition. 

Other logic conditions can be used in other embodiments. 

The use of exclusion also can be used for assigning an 
action to all members of a particular group. For example, a 
rule can read, "give Priority 2 to a packet if the packet's 
10 source address is in Group A and if its source address is not 

X, where X is a member of Group A. ' ' In this example, the 
proxy agent preprocessor 215b interprets the rule as 
^ containing two condition type lists for the same condition, 

rJ3 one with the exclude flag set and one without the exclude flag 

lj§ set. The same entry value may appear on both lists without 

J the use of groups. The system 100 also can compose polices 

* that include and exclude values for the same condition type. 

Some of the condition types that are used to create 
s policies for access lists are interrelated. For example, a 

M condition type might be the sub-network from which the packet 

M originated. A related condition type may be the address from 

2 which the packet originated. Another condition type that can 

5 be used for access type policies is the application associated 

with the packet, identified by either the packet's source or 
25 destination port. Related to this condition type are the 

individual condition types that specify the source port or the 
destination port. There is the potential that related 
condition types might conflict with each other, because the 
user can compose rules that specify all of these condition 
30 types . 

Rule simplification reduces a policy group into a rule 
that preferably contains no irrelevant or redundant 
information. In some cases, the simplified rule will be the 
same as the original rule. In other cases, the simplified 
35 rule is different from the original rule, if, during the 

translation process, unnecessary information was removed from 
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the rule as a result of using groups exclusion and related 
condition types. 

Referring again to Fig. 5, after group exclusion 52 0 is 
performed, the entry values are extracted for each condition 
5 type and an access list is built 53 0 into a set of arrays. 

There are two arrays for each condition type, one for the 
"included' 1 values specified for the condition and another 
array for the "excluded' ' values specified for the condition. 
In some cases, the excluded values for a condition type may be 
10 merged with the excluded values of related condition types, by 

eliminating the ""excluded" array for that type. In one 
embodiment, the arrays are vectors of values appropriate for 
the condition type. Redundant or duplicate information is 
Q removed 54 0 from each list. For some condition types, one 

l4 entry value may imply another, so that only the second entry 

til value needs to be present on the access list. A 

* reconciliation of the lists of included and excluded entries 

iJJ for the same condition type is performed 550. For example, 

% 4 intended entries that appear on both the excluded list and the 

2ft included list for the same condition type are removed from the 

M included list. The entries in the lists of related condition 

f s types are compared and it is determined which entries in the 

q affected lists are consistent with one another. Related 

^ condition types are then resolved 560. Irrelevant entries are 

25 removed from the lists 570. Irrelevant data is a condition 

value that does not contribute to the rules and therefore does 
not need to be accounted in the resulting access list. For 
example, the rule IF IP_Address = {A OR B} AND IP_Address NOT 
{c} does not need the excluded condition IP_Address NOT C. 
30 Therefore, the latter condition can be ignored. Similarly, 

redundant data can arise if groups containing overlapping 
values are used to create rules. For example, if Group 1 
contains (A, B, and C) and Group 2 contains (C, D, and E) , 
then a policy rule that says IF IP_Address = {Group 1 OR Group 
35 2}, this would expand to (A, B, C, C, D, E) . In that case, 

removing the redundant data simply means removing the 
additional C. 

-9- 
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If a rule that results from 550 and a rule that results 
from 560 are inconsistent, then the preprocessor 215b rejects 
the rule 570 because it is impossible to satisfy. For 
example, if all the entries on the included list are also on 
the excluded list, then the rule is impossible to satisfy and 
it is rejected. 

Access List Creation and Filter Generation 
The include and exclude arrays that result from the 
simplified rule discussed above yield an "access list" (in 
other words, the set of arrays) (44 0 Fig. 4) . At the end of 
the rule simplification process, the access list is used to 
generate access list filters. The arrays that emerge from the 
process may represent the same condition types (either 
included or excluded) as those in the original rule. However, 
the rule simplification process may create ""paired" 
conditions if it is convenient for the particular condition 
types. For example, a condition type may represent a pair of 
port numbers, one for source and one for destination. If this 
type of pairing is performed, it serves as a preliminary step 
to building the actual filters. 

Fig. 6 illustrates an implementation of a flow chart for 
an access list filter generation process 600. The simplified 
rule is used to add 610 deny filters and to add 620 permit 
filters. To add a deny filter 610, one filter is created for 
each entry in the non-empty exclude array by combining the 
entry with an entry in each of the include arrays for the 
other condition types. If any of the other conditions types 
has an empty include array, then for this purpose that array 
is considered to be an array containing a single entry that is 
set to ""any value". The number of deny filters created for 
each exclude entry is the number of distinct combinations that 
can be created from the entries in the include arrays for he 
other condition types. 

To add a permit filter 620, one entry is selected from 
each non-empty include array and these entry values are 
combined to form a single permit filter. If any of the 
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condition types has an empty include array, then for this 
purpose the array is considered to be an array containing a 
single entry that is set to ""any value". The number of 
permit filters created is the number of distinct combinations 

5 that can be created from the entries in the include arrays. 

Condition values associated with a packet are matched to 
the filters in the order the filters appear on the access 
list. If the packet's values do not match any filter on the 
list, the default action is to disallow the packet, and access 
10 is therefore denied . 

In one implementation, filter generation uses the arrays 
generated from the redundancy checks along with a set of 
indices, one index for each included and excluded array. The 

CI index represents an individual value within the array. To 

lSf generate an individual filter, each index is set to a 

til particular value and the filter is created from the array 

values at those indices. An index value of "-l'' indicates 

% that the value is unspecified for that particular condition. 

^1 As an example, it is assumed that there are six 

conditions that contribute to a filter: c l ,c 2 ,c 3 ,c 4 ,c 5 ,c 6 , where 

ri the conditions are: 





Ci = 


Source IP Address and Mask 


Of J 


<?2 = 


Destination IP Address and Mask 




c 3 = 


Source Port and Protocol 


25 


c 4 = 


Destination Port and Protocol 




c 5 = 


IP Protocol 




c 6 = 


IP Precedence. 



Each condition has deny and permit indices, d l ,d 2 ,d 3 ,d 4 ,d 5 ,d 6 and 
30 PiiPi^PiiPaiPsiPs * respectively, for the exclude and include 

arrays E = (E x [d r ],E 2 [d 2 ],E 3 [d 3 ],E 4 [d 4 ] 9 E s [d 6 ]) and 

I = (Ii[Pi]J 2 iP2l I 3[Pil I 4[P4l I 5[P5l I 6[P6]) • The conditions and arrays 
can be generalized to N conditions and N arrays. Typically 
the deny filter is created first. A deny filter is created by 
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first determining which exclude arrays are non-empty (after 
exclusion and redundancy checks have been performed) , and 
combining the elements of these arrays with the elements of 
the non-empty include arrays for the other conditions types. 
If, for a given excluded condition, all the other condition 
types have empty include arrays, then for each entry in the 
exclude array, a single deny filter is generated that 
specifies only the value for the excluded condition. As 
stated above, to create deny filters, each exclude array entry 
is combined with each include array entry and repeated until 
all filters are created. Six include arrays and one exclude 
array may look like the following: 



1 ± = {1.2.0.0/255.255.0.0, 

3.4.10.0/255.255.0.0} 
I a = {9.8.7.6} 

1 3 = {100/TCP, 500/UDP} 

1 4 = {600/TCP, 500/UDP} 



After combining the arrays as described above and removing 
irrelevant and redundant data, a typical deny filter may then 
look like: 



{ } 
{i} 



E 1 = {1.2.10.0/255.255.255.0, 
3.4.10.0/255.255.255.0} 



EjdJ 



1.2.10.0/2 55.255.2 55.0 



I 2 [d 2 ] 



9.8.7.6 



100/TCP 



I 4 [d 4 ] 



600/TCP 



Unspecified 



1 
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Permit filters are created by combining each include array 
element with the include array elements of all the include 
arrays. After combining the elements in the arrays and 
removing the irrelevant and redundant data, a typical permit 
filter may then look like: 



II [pj 


= 1.2.0.0/255.255.0.0 


I 2 [p 2 ] 


= 9.8.7.6 


MP3] 


= 100/TCP 


I4 [pj 


= 600/TCP 


I 5 [p 5 ] 


= Unspecified 


I s [p 6 ] 


= 1 



Additional filters that are created from the specified 
conditions, c 19 c 29 c 39 c 4 ,c s ,c 6 . The deny and permit filters 
discussed above are only illustrative of the types of filters 
that can be generated in this example. Other combinations as 
well as other condition types can be generated. 

In another implementation an alternate form of 
translation can generate deny conditions. This alternate form 
of the translated access list can be used for any device that 
can handle multiple access lists for a policy type. For 
example, if a device can evaluate more than one access list to 
determine the priority to which a particular packet should be 
assigned, then the translation can be optimized. Each policy 
rule is placed into a separate access list. For the filter 
generation, each entry in the non-empty exclude array 
generates a deny filter that specifies only the denied value, 
with all other condition types unspecified. Permit filters 
are handled in a similar way. When handling a packet, the 
first access list is consulted, and each filter is checked 
against the packet values. If the packet matches a permit 
filter, the action associated with the policy is taken and no 
further filters or access lists are checked. If the packet 
matches a deny filter, then no more filters in the current 
access list are checked and the device proceeds to the next 
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access list and begins checking the packet against those 
filters. If the packet does not match any filters in the 
access list the device proceeds to the next access list and 
begins checking the packet against those filters. 

The systems and techniques described here can enable a 
number of devices on a network to be managed effectively with 
one uniform set of policy rules and enable the devices to 
uniquely translate the policy rules to a format that is 
meaningful to each device. 

Various aspects of the proxy agent 215a may be 
implemented in digital circuitry, or in computer hardware, 
firmware, software, or in combinations of them. Apparatus of 
the invention may be implemented in computer products embodied 
in a machine-readable storage device for execution by a 
programmable processor. The foregoing techniques may be 
performed, for example, by a programmable processor executing 
a program of instructions to perform functions of the 
invention by operating on input data and generating output. 
The techniques may be implemented in one or more computer 
programs that are executable on a programmable system 
including at least one programmable processor coupled to 
receive data and instructions from, and to transmit data and 
instructions to, a data storage system, at least one in/out 
device, and at least one output device. Each computer program 
may be implemented in a high-level procedural or object- 
oriented programming language, or in assembly or machine 
language if desired; and in any case, the language may be 
compiled or interpreted language. Suitable processors 
include, by way of example, both general and special purpose 
microprocessors. Generally, a processor will receive 
instructions and data from read-only memory and/or random 
access memory. Storage devices suitable for tangibly 
embodying computer program instructions and data include all 
forms of non-volatile memory, including by way of example, 
semiconductor devices, such as EPROM, EE PROM, and flash memory 
devices; magnetic disks such as internal hard disks and 
removable disks; magneto-optical disks; and CD-ROM disks. Any 
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of the foregoing may be supplemented by or incorporated in, 
specially-designed application-specific integrated circuits 
(ASICS) . 

Other implementations are within the scope of the 
5 following claims . 
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What is ca. aimed is: 

1 l/ A method, comprising: 

2 based on policy rules, creating an access control 

3 list adapted to configure a network device; and 

4 using the access control list to generate access 

5 filters. 

1 2 . The method of claim 1 further comprising expanding 

2 the policy rules into value groups that represent 

3 conditions associated with the policy rules. 

1 

D 3 . The method of claim 2 further comprising excluding 
§5 conditions that would otherwise be implied by the 

3y rules. 

% 4. The method of claim 3 further comprising resolving 
2j inconsistent conditions that result from expanding 

3 the policy rules and excluding the policy rule 

W\ conditions. 

f& 5. The method of claim 1 further comprising creating at 
jf least one array of included or excluded conditions 

3 from the policy rules. 

1 6. The method of claim 5 wherein generating the access 

2 filters further comprises: 

3 adding filters adapted to control access of a device 

4 to another component in the network. 

1 7. The method of claim 6 further comprising generating 

2 deny filters by combining the at least one array of 

3 excluded conditions and the at least one array of 

4 included conditions. 

1 8. The method of claim 6 further comprising generating 

2 permit filters by combining the at least one of the 
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3 arrays of the included conditions with the remaining 

4 arrays of included conditions. 

1 A computer network, comprising: 

2 a first device adapted to disseminate policy rules 

3 in the network; and 

4 a second device adapted to receive the policy rules 

5 disseminated on the network by the first device and 

6 adapted to: 

7 based on policy rules, create an access 

8 control list adapted to configure the at 
go least one device from the filters; 

ljj^ and to use the access control list to 

m 

l|j generate access filters from the 

l|B translated policies. 

f 10. The system of claim 9 wherein the second device 

111 further comprises a permit filter. 

til 

T 11. The system of claim 10 further comprising a 

IS plurality of data-storage devices adapted to permit 

W access to the second device. 

1 12 . The system of claim 9 wherein the second device 

2 further comprises a deny filter. 

1 13 . The system of claim 12 further comprising a 

2 plurality of data- storage devices adapted to deny 

3 access to the second device. 

1 L4. An article comprising a computer-readable medium 

2 which stores computer executable instructions for 

3 managing policy rules on a network, the instructions 

4 causing a computer to: 
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5 based on policy rules, create an access control 

6 list adapted to configure the devices from the simplified 

7 rules ; and 

use the access control list to generate access 

The article of claim 14 further comprising 
instructions to expand the policy rules into value 
groups, wherein value groups represent conditions 
associated with the policy rules. 

The article of claim 15 wherein the instructions to 
translate the policy rules further includes 
instructions to exclude conditions that would 
otherwise be implied by the policy rules. 

The article of claim 16 wherein the instructions to 
translate the policy rules further includes 
instructions to resolve inconsistent conditions that 
result from expanding the policy rules and excluding 
the policy rule conditions. 

A network device, comprising: 



¥ a configurable management process located on the device 

3 having instructions to: 

4 receive the policy rules in a network device; 

5 translate the policy rules to a set of 

6 simplified rules; 

7 create an access control list adapted to 

8 configure the devices from the simplified rules; and 

9 use the access control list to generate access 
10 filters. 

1 19. The device of claim 18 further comprising a 

2 connection to an external network. 



8 
9 

1 
2 
3 
4 

1 

2 



filters 
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1 20. The device of claim 19 wherein the external network 

2 is a local area network. 

1 21. The device of claim 19 wherein the external network 

2 is the Internet. 

1 2y, A method of managing access by a device on a network 

2 to adbther component on the network, comprising: 

3 providing policy rules that determine the access of 

4 the device to the component . 

1 23. The method of claim 22 wherein the policy rules 

2 comprise: 

3 an access control list including the conditions that 
|S allow the device to access the component; and 

§] filters for implementing the access. 

^ 24. The method of claim 22 wherein the access control 

1§ list comprises include and exclude arrays that are combined to 

>- generate the filters. 
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ABSTRACT OF THE INVENTION 

Policy rules are disseminated on a network and are 
received by one or more devices on the network. Each device 
is configured with a proxy agent that translates the policy 
data into a format that is meaningful to the device. The 
agent translates the policy rules into an access list that 
generates permit and deny filters that determine the access 
that the device is allowed on the network. 
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